It’s the most frantic time of the year, isn’t it? From “Black Friday Starts Now!” on November 1 through to “Place your order by December 18 for guaranteed delivery!” and finally to “There’s still time!” and “Great last-minute gifts!” — it would certainly seem so by looking at most people’s overflowing personal inboxes.
It’s also, however, the perfect time for bad actors to jump into the fray, impersonate your brand, and scam your customers out of their holiday shopping funds and sensitive personal info.
CISA, the FBI, and other government and law enforcement agencies issue annual warnings to consumers about common holiday shopping and charitable donation scams, advising them to be wary of deals that look too good to be true, secure their accounts, and avoid giving out sensitive information over various media. But as you increase your marketing message volume to consumers, so do those bad actors — and they’re taking advantage of generative AI tools to mimic your logo, language, and landing pages more accurately than ever. And if a consumer is taken in by a well-crafted look-alike, they lose trust in your brand regardless.
What can you do to protect your customers and your reputation from human-element attacks like phishing, smishing (SMS), vishing (voice), and quishing (QR code)?
There are two actions that you can take that may involve revisiting or revamping security practices you’ve already put in place. This holiday season and beyond, be sure to:
- Enforce DMARC across all your sending domains. Domain-based Message Authentication, Reporting, and Conformance (DMARC), together with DKIM and SPF, prevents attackers and scammers from spoofing your email domains to send malicious, fraudulent messages. Organizations that implement DMARC successfully also stop unauthorized parties from sending mail that appears to come from an authorized sender, such as your email marketing service provider.
  - How: Collaborate with security colleagues to implement the DMARC protocol and test Brand Indicators for Message Identification (BIMI) to help protect your brand, bolster customer trust, and defend against phishing. And be sure that your service providers are monitoring DMARC configuration and status regularly for all your domains.
- Get explicit in your security messages. Your customers should know how you will and how you will not communicate with them. That’s especially important given all the successful social engineering attempts we’ve seen and the trend toward targeted, multipronged campaigns using voice, text, email, and even deepfake audio and video.
  - How: Provide visuals of what your confirmation and delivery status emails or texts will include. Security messages from you should precede your high-volume seasons or events and give customers instructions on how to examine the links behind QR codes and verify your official domains. They should offer one phone number customers can call to verify communications from you should they have any doubts; also give them a support email address to which they can forward suspicious emails claiming to be from your company or brand. And finally, your communications should let customers know under what circumstances, if any, a representative from your company would call them.
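The DMARC item above says to enforce the policy and have your providers monitor it; the difference between a record that merely exists and one that actually protects your domain lies in a handful of tags (p=, sp=, pct=, rua=) plus the SPF record’s final “all” qualifier. The script below is an added illustration written for this post, not Forrester’s tooling: it parses DMARC and SPF TXT records and flags monitor-only or partial configurations. The DNS names and records are constructed samples (shop.example, brand.example, deals.example are hypothetical); the `lookup_txt` function is a stand-in for a real DNS query.

```python
"""Assess DMARC and SPF records for a sending domain.

Added example for this post; it is not Forrester's code. The DNS names and
TXT records below are constructed samples (hypothetical domains). To run it
against real domains, replace `lookup_txt` with a resolver query for the
TXT records at _dmarc.<domain> and <domain>.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample TXT records keyed by DNS name.
SAMPLE_DNS: Dict[str, str] = {
    # Monitor-only DMARC: spoofed mail is reported but still delivered.
    "_dmarc.shop.example": "v=DMARC1; p=none; rua=mailto:dmarc@shop.example",
    "shop.example": "v=spf1 include:_spf.mailer.example ~all",
    # Enforced: failing mail is rejected and aggregate reports flow back.
    "_dmarc.brand.example": ("v=DMARC1; p=reject; sp=reject; pct=100; "
                             "rua=mailto:dmarc@brand.example; adkim=s; aspf=s"),
    "brand.example": "v=spf1 include:_spf.mailer.example -all",
    # Looks enforced, but only 10% of failing mail is affected, there is no
    # reporting, and the SPF record authorises every sender on the internet.
    "_dmarc.deals.example": "v=DMARC1; p=reject; pct=10",
    "deals.example": "v=spf1 +all",
}


def lookup_txt(name: str, dns: Dict[str, str] = SAMPLE_DNS) -> Optional[str]:
    """Stand-in for a DNS TXT query; returns None when no record exists."""
    return dns.get(name)


def parse_tags(record: str) -> Dict[str, str]:
    """Split the 'k=v; k=v' DMARC syntax into a dict with lower-cased keys."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> Tuple[bool, List[str]]:
    """Return (enforcing, findings) for a DMARC TXT record."""
    findings: List[str] = []
    if record is None or not record.lower().startswith("v=dmarc1"):
        return False, ["no DMARC record: receivers apply no policy to spoofed mail"]
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    order = {"none": 0, "quarantine": 1, "reject": 2}
    if policy not in order:
        return False, ["invalid DMARC record: missing or unknown p= tag"]
    if policy == "none":
        findings.append("p=none is monitor-only; spoofed mail is still delivered")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct= is not a number; treating the policy as unenforced")
    if 0 <= pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    sub_policy = tags.get("sp", policy).lower()
    if order.get(sub_policy, 0) < order[policy]:
        findings.append(f"sp={sub_policy} leaves subdomains weaker than p={policy}")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports (your abuse visibility) are lost")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return enforcing, findings


def assess_spf(record: Optional[str]) -> List[str]:
    """Flag SPF records whose final 'all' qualifier lets any sender pass."""
    if record is None or not record.lower().startswith("v=spf1"):
        return ["no SPF record: DMARC can rely on DKIM alignment only"]
    last = record.split()[-1].lower()
    if last.lstrip("+-~?") != "all":
        return ["no 'all' mechanism: unmatched senders receive a neutral result"]
    qualifier = last[:-3]
    if qualifier in ("", "+"):
        return ["'+all' authorises every sender; SPF provides no protection"]
    if qualifier == "?":
        return ["'?all' is neutral; treat as no SPF enforcement"]
    return []  # '~all' (softfail) or '-all' (fail)


def check_domain(domain: str, dns: Dict[str, str] = SAMPLE_DNS) -> dict:
    """Combine the DMARC and SPF assessments for one sending domain."""
    enforcing, findings = assess_dmarc(lookup_txt(f"_dmarc.{domain}", dns))
    findings += assess_spf(lookup_txt(domain, dns))
    return {"domain": domain, "dmarc_enforcing": enforcing, "findings": findings}


if __name__ == "__main__":
    for d in ("shop.example", "brand.example", "deals.example", "missing.example"):
        r = check_domain(d)
        print(f"{d}: {'ENFORCED' if r['dmarc_enforcing'] else 'NOT ENFORCED'}")
        for f in r["findings"]:
            print("  -", f)
```

Only brand.example comes back clean; shop.example is the common “we have DMARC” case where p=none means receivers still deliver spoofed mail, and deals.example shows why a provider should watch pct= and rua= rather than just the p= tag. Run the same checks for every domain that sends on your behalf, including the ones only your marketing platform uses.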
If you’re a Forrester client and would like to discuss these and other preventive measures further, please set up a guidance session or inquiry with us.
Additionally, it’s not just Black Friday and Cyber Monday deal chasers falling for phishing messages. I’m facilitating a workshop at Forrester’s upcoming Security & Risk Summit for security pros on thwarting social engineering attempts against your workforce through a balance of tech and training efforts such as those mentioned above. Join us in Baltimore on December 9–11 for this workshop and other sessions designed to help security and risk leaders and their teams secure their organization, build trust, and move their business forward.